Adaptive Safety with Control Barrier Functions

Adaptive Safety with Control Barrier Functions

Andrew J. Taylor and Aaron D. Ames

Abstract— Adaptive Control Lyapunov Functions (aCLFs) were introduced 20 years ago, and provided a Lyapunov-based methodology for stabilizing systems with parameter uncertainty. The goal of this paper is to revisit this classic formulation in the context of safety-critical control. This will motivate a variant of aCLFs in the context of safety: adaptive Control Barrier Functions (aCBFs). Our proposed approach adaptively achieves safety by keeping the systems state within a safe set even in the presence of parametric model uncertainty. We unify aCLFs and aCBFs into a single control methodology for systems with uncertain parameters in the context of a Quadratic Program (QP) based framework. We validate the ability of this unified framework to achieve stability and safety in an adaptive cruise control (ACC) simulation.

I. INTRODUCTION

In many modern control applications, safety is of critical importance. It is impossible to model the system dynamics in these applications exactly—that is, parameters of the model may not match the real system. For instance, the mass and electrical properties of robotic systems are often approximate values. Thus, to truly enforce safety, it is necessary to quantify safety in the context of unknown parameters.

The use of Control Barrier Functions (CBFs) [1], [2] for ensuring safety of nonlinear control systems has become increasingly popular [18], [25], [26]. Controllers synthesized via CBFs rely on a model, and the guarantees they achieve may fail in the presence of model uncertainty. Robust control methods can ensure safety [7], [28] or quantify how safety properties degrade [9] in the presence of model uncertainty, but may be overly conservative in restricting the behavior of the system. Data-driven methods employing machine learning [19], [5] provide probabilistic safety guarantees, but may require episodic, offline training to improve model estimates [6].

In this paper, we focus on an online, adaptive approach to ensuring that a system remains safe in the presence of model uncertainty. Adaptive control seeks to update a model of the system as it evolves to achieve stability or a desired level of performance [10]. In particular, we build upon the idea of adaptive Control Lyapunov Functions (aCLFs) [11], which have been used to stabilize nonlinear systems in the presence of parametric model uncertainty [12], [13], [15]. That is, the goal of this paper is to find conditions for adaptive safety (via Control Barrier Functions) equivalent to those derived for adaptive stability (via Control Lyapunov Functions).

One challenge in developing adaptive control methods that guarantee safety is ensuring that the a nonlinear system’s Both authors are with the Department of Computing and Mathematical Sciences, California Institute of Technology, Pasadena, CA 91125, USA

[email protected], [email protected]

state remains within a prescribed safe set at all times. In contrast, guarantees on stability provided by aCLFs describe the behavior of the state and parameter estimation error jointly, allowing the state to grow large before stabilizing, as long as the parameter estimation error diminishes. To achieve this stricter guarantee of safety, we leverage stronger assumptions on the initial parameter estimation error. The end result are conditions for safety even under the presence of model uncertainty, i.e., that a system with unknown parameters can be rendered safe for all time.

The main contribution of this paper is a formal method-ology for ensuring safety in nonlinear (control affine) sys-tems with parameter uncertainty through the formulation of adaptive Control Barrier Functions (aCBFs). Like aCLFs, aCBFs provide a framework for updating model parameter estimates online, but do so to ensure safety. Unlike aCLFs, aCBFs require a different viewpoint on adaptive control to make stronger statements on the behavior of the system’s state. To the best of our knowledge, our approach is the first that adaptively ensures safety utilizing CBFs. The definitions and results in this paper provide the first steps towards a framework for adaptive safety unifying both online and data-driven, episodic updates of model parameters.

This paper is organized as follows. Section II reviews CLFs and aCLFs and how quadratic program based con-trollers can be synthesized to adaptively stabilize a system. Section III discusses CBFs and how they can be used to ensure the safety of a system. Section IV provides the main result of the paper by defining aCBFs, and shows how a sys-tem can be rendered adaptively safe in the presence of model uncertainty. Section V offers a discussion on the assumptions and constraints made in the preceding section through a counter example. Section VI presents simulation results for an adaptive cruise control (ACC) system using both a safety-critical controller and a quadratic program based controller implementing an aCLF and an aCBF simultaneously.

II. ADAPTIVECONTROLLYAPUNOVFUNCTIONS To develop provably correct controllers for nonlinear sys-tems, it is typically assumed that the model is known. Yet there are many practical applications where this assumption is not adequate. A simple illustration is a mechanical system whose parameters (masses, inertias, etc) are not completely known—and one may not want to treat the unknown model parameters as a perturbation from nominal parameters since this would only guarantee stability to a region corresponding to a bound on this difference (which also may not be known). The purpose of this section, therefore, is to review the framework of adaptive Control Lyapunov Functions.

Consider a state space X ⊂ Rn and a control input space U ⊂ Rm_{, where it is assumed X is path-connected and 0 ∈}

X . Consider the affine dynamic system given by:

˙x = f (x) + g(x)u (1)

where x ∈ X , u ∈ U , f : X → Rn and g : X → Rn×m are smooth on X . We additionally assume f (0) = 0. We will use the following definition, found in [8], to study the stability of (1).

Definition 1 (Class K Function). A continuous function α : [0, a) → R+, with a > 0, is a class K function (α ∈ K)

if α(0) = 0 and α is strictly monotonically increasing. If a = ∞ and limr→∞α(r) = ∞, then α is said to be a class

K∞ function (α ∈ K∞).

Given this definition, we can define a Control Lyapunov Function (CLF) as in [3], [14].

Definition 2 (Control Lyapunov Function (CLF)). A smooth function V : X → R+ is a Control Lyapunov Function

(CLF) for (1) if there exists α1, α2, α3∈ K∞ such that:

α1(kxk) ≤ V (x) ≤ α2(kxk) (2) inf u∈U ˙ V (x, u) ≤ −α3(kxk) (3) for all x ∈ X .

This definition can be constructed with α1, α2, α3 ∈

K, with resulting stability guarantees holding locally. The existence of a CLF for (1) implies there exists a smooth (except at x = 0) state-feedback controller k : X → U , that renders the origin globally asymptotically stable [3], [22], noting that global refers to the state space X . k can be made continuous at 0 if V satisfies the small control property [23]. Following the classic formulation of aCLFs in [11], un-certainty in the dynamics (1) appears as:

˙x = f (x) + F(x)θ?+ g(x)u, (4) where θ?∈ Θ ⊂ Rp_{is a vector of unknown parameters and}

F : X → Rn×p_{is assumed to be smooth on X with F(0) =}

0. The impossibility of designing explicit controllers that are robust to unbounded unknown parameters suggests that we need to consider a larger class of controllers to stabilize (4). In particular, controllers that update an estimate of the unknown parameters. These are called adaptive controllers, and take the form:

u = k(x, bθ) (5)

˙ b

θ = Γτ (x, bθ), (6)

where bθ ∈ Θ represents an estimate of the parameters θ? maintained by the controller, Γ ∈ Rn×n is a matrix adaptive gain, and τ : X × Θ → Rp is the adaptation law. We make the following assumption on these functions:

(A1) k is locally Lipschitz continuous on (X \{0}) × Θ and k(0, bθ) = 0,

(A2) τ is locally Lipschitz continuous on X × Θ, (A3) _{Γ ∈ R}p×p_{is symmetric and positive-definite.}

Introducing this parameter update results in a composite dynamic system: " ˙x ˙ b θ # = " f (x) + F(x)θ?+ g(x)k(x, bθ) Γτ (x, bθ) # (7) Solutions to this system evolve in X × Θ. Given this construction we introduce the following definition from [11]: Definition 3 (Globally Adaptively Stabilizable). The system with unknown parameters (4) is globally adaptively stabiliz-ableif there exists a dynamic controller of the form (5)-(6) satisfying (A1)-(A3) such that solutions (x(t), bθ(t)) of (7) are globally bounded and limt→∞x(t) = 0.

Remark 1. Note that the requirements for global adaptive stabilizability are rather weak in the sense that bθ is not required to converge to θ?. We will see, in fact, that convergence of bθ to θ?is not necessary for x(t) to converge to the equilibrium.

The strategy in designing adaptive controllers is to show that this problem is equivalent to a non-adaptive controller design problem. Such equivalence is shown via the notion of adaptive control Lyapunov functions as in [11]:

Definition 4 (Adaptive Control Lyapunov Function (aCLF)). Let α1(·, θ), α2(·, θ), α3(·, θ) ∈ K∞ for all θ ∈ Θ. A

smooth function Va: X × Θ → R+, satisfying:

α1(kxk, θ) ≤ Va(x, θ) ≤ α2(kxk, θ), (8)

is called an adaptive Control Lyapunov Function (aCLF) for (4) if there exists a symmetric positive-definite matrix Γ ∈ Rp×psuch that for every θ ∈ Θ, Va is a CLF for the system:

˙x = f (x) + F(x)λclf(x, θ) + g(x)u, (9) where λclf(x, θ) , θ + Γ  ∂Va ∂θ (x, θ) T . (10) That is, inf u∈U  ∂Va ∂x (f (x) + F(x)λclf(x, θ) + g(x)u)  ≤ −α3(kxk, θ). (11)

Adaptive control Lyapunov functions can be used to obtain the following result establishing the equivalence between the original adaptive controller design problem and a non-adaptive one.

Theorem 1. [11] System (4) is globally adaptively stabiliz-able iff there exists an aCLF for(4).

It is useful to give a sketch of the proof for the sufficiency portion of this result, as it will inform the proof of the analogous result in the context of control safety functions. Sketch. Assume that we have an aCLF Va for (4). As Va

is a CLF for (9) with θ = ˆθ, we can construct a smooth (away from x = 0) controller u = k(x, bθ) stabilizing (9) (a specific example of a Lipschitz continuous controller will

be given after the proof), i.e., we can construct a controller u = k(x, bθ) such that:

L˜_f

clfVa(x, bθ) + LgVa(x, bθ)k(x, bθ) ≤ −α3(kxk, bθ), (12)

where ˜f is given by: ˜

fclf(x, bθ) = f (x) + F(x)λclf(x, bθ). (13)

We note that this controller only depends on the current estimate of the parameters bθ, and does not depend on the actual parameters θ?. Define the parameter error:

e

θ = θ?− bθ (14)

to be the difference between the actual and estimated pa-rameters. Consider now the candidate composite Lyapunov function: V (x, bθ) = Va(x, bθ) + 1 2eθ T Γ−1θ.e (15) Computing its derivative we obtain:

˙ V = V˙a− eθ T Γ−1θb˙ ≤ −α3(kxk, bθ) + eθ T a(x, bθ) − ∂Va ∂θ (x, bθ)  Γa(x, bθ). where: a(x, bθ) =  ∂Va ∂x (x, bθ)F(x) T − τ (x, bθ) ! . (16) It is now easy to see that using the update law

τ (x, bθ) = ∂Va ∂x(x, bθ)F(x) T (17) implies ˙ V ≤ −α3(kxk, bθ), (18)

from which we conclude that the equilibrium point (0, θ?) of (7) is globally stable. In particular, we see that (x(t), bθ(t)) is globally bounded. It now follows from the LaSalle invariance principle that x(t) converges to the largest invariant subset of the collection of points x ∈ X satisfying α3(kxk, bθ) = 0

which is the singleton x = 0.

As noted in the preceding proof, given an aCLF Va,

we can correspondingly synthesize a Lipschitz continuous controller u = k(x, bθ). This can be achieved in a point-wise optimal fashion by considering an optimization based control framework. In particular, since the aCLF condition (11) is satisfied, we can consider the following quadratic program: k(x, bθ) = argmin u∈U 1 2kuk 2 _(aCLF-QP) s.t. ∂Va ∂x(x, bθ)˜fclf(x, bθ) + g(x)u  ≤ −α3(kxk, bθ)

This QP based controller will be guaranteed to have a solution, again because (11) is satisfied, and is Lipschitz continuous [16]. Moreover, a closed form solution to this optimization problem, termed the min-norm controller, can

be obtained via the KKT conditions [4]. To see this, define: φ0(x, bθ) ,

∂Va

∂x(x, bθ)˜fclf(x, bθ) + α3(kxk, bθ) φT₁(x, b_{θ) ,} ∂Va

∂x(x, bθ)g(x)

wherein the solution to (aCLF-QP) follows from : k(x, bθ) = ( −φ0(x,bθ)φ1(x,bθ) φT 1(x,bθ)φ1(x,bθ) if φ0(x, bθ) > 0 0 if φ0(x, bθ) ≤ 0

III. CONTROLBARRIERFUNCTIONS

The goal of this work is to provably enforce safety, even in the context of uncertain models. As a result, we will leverage the framework of Control Barrier Functions (CBFs) [1], [2], [28]. This section, therefore, will review the basic concepts related to these functions and corresponding controller synthesis.

In the context of safety, we consider a set S defined as the 0-superlevel set of a continuously differentiable function h : X → R, yielding:

S _{, {x ∈ X | h(x) ≥ 0},} (19) ∂S _{, {x ∈ X | h(x) = 0},} (20) int(S) _{, {x ∈ X | h(x) > 0},} (21) We refer to S as the safe set.

Consider again the known dynamics (1). A feedback controller u = k(x) induces closed loop dynamics:

˙x = fcl(x) , f (x) + g(x)k(x) (22)

which is assumed to be locally Lipschitz continuous. This as-sumption implies that for any initial condition x0∈ X there

exists a maximum interval of existence I(x0) = [0, τmax)

such that x(t) is the unique solution to (22) on I(x0); in the

case when fclis forward complete, τmax= ∞. This notation

allows us to define forward invariance and safety:

Definition 5 (Forward Invariant). The set S is forward invariant if for every x0 ∈ S, x(t) ∈ S for x(0) = x0

and all t ∈ I(x0).

Definition 6 (Safety). The system (22) is safe with respect to the set S if the set S is forward invariant.

It is desirable to achieve safety without the need to specify a specific controller as was done in (22). This leads to the notion of Control Barrier Functions. Before defining these, we require the following definition as in [2]:

Definition 7 (Extended Class K Function). A continuous function α : (−b, a) → R, with a, b > 0, is an extended class K function (α ∈ Ke) if α(0) = 0 and α is strictly

monotonically increasing. If a, b = ∞, limr→∞α(r) = ∞,

limr→−∞α(r) = −∞. then α is said to be an extended

classK∞ function (α ∈ K∞,e).

This enables the following definition as in [2]:

Definition 8 (Control Barrier Function (CBF)). Let S ⊂ X be the 0-superlevel set of a continuously differentiable

function h : X → R. h is a Control Barrier Function (CBF) for S if there exists an extended class K∞ function α such

that for the system (1): sup

u∈U

[Lfh(x) + Lgh(x)u + α(h(x))] ≥ 0. (23)

for all x ∈ S.

We can consider the pointwise set consisting of all control values that render S safe:

Kcbf(x) = {u ∈ U : Lfh(x) + Lgh(x)u + α(h(x)) ≥ 0}.

(24) The main results of [1], [28] is that the existence of a CBF for S implies the system (1) can be rendered safe with respect to S:

Theorem 2. Given a set S ⊂ X defined as the 0-superlevel set of continuously differentiable functionh : X → R, if h is a CBF on S, then any Lipschitz continuous controller k such thatk(x) ∈ Kcbf(x) for all x ∈ S renders the system

(1) safe with respect to the set S.

In addition, if k(x) ∈ Kcbf(x) for all x ∈ X , then the set

S is asymptotically stable in X .

IV. ADAPTIVECONTROLBARRIERFUNCTIONS Motivated by the construction of adaptive control Lya-punov functions (aCLFs), we now explore the notion of an adaptive Control Barrier Function.

We again assume the control system has the form given in (4), wherein θ? is a set of unknown parameters, and extend the previous construction of the safe set S to be parameter dependent. In this case, we construct a family of safe sets parameterized by θ and defined as the 0-superlevel sets of a continuously differentiable function ha : X × Θ → R:

Sθ , {x ∈ X | ha(x, θ) ≥ 0}, (25)

∂Sθ , {x ∈ X | ha(x, θ) = 0}, (26)

int(Sθ) , {x ∈ X | ha(x, θ) > 0}, (27)

In particular, we will see this construction allows the states in the state space that are considered safe to change according to the current estimate of the parameters. If set in the state space to be kept safe is independent of the parameters, the preceding construction is identical to that in (19)-(21).

Given this construction, we can define adaptively safe in a similar fashion to the definition of global adaptively stabilizable given in Definition 3 (note that in this case we opt for a local rather than global definition).

Definition 9 (Adaptively Safe). The system with unknown parameters (4) can be rendered adaptively safe with respect to a family of sets S

b

θ if there exists a dynamic controller

of the form (5)-(6) satisfying (A1)-(A3) such that solutions (x(t), bθ(t)) of (7) controlled by (5)-(6) satisfy x(t) ∈ S_bθ(t) for all t ∈ I(x(0), bθ(0)).

This definition implies that the state of the system must remain within a potentially time-varying set, S

b

θ(t), even

in the presence of uncertainty in the dynamics. It is not necessary that the parameters converge, or even that they remain bounded, as in the adaptively stabilizable formulation. As will be seen, this is inherently connected to the fact that safety does not force the system to converge to an equilibrium point, but only requires it remains within a set. Before defining aCBFs, we also specify that a set of adaptive gains G is defined such that:

Γ ∈ G =⇒ Γ satisfies A(3). (28) We note that G need not be all values of Γ satisfying A(3). We can now define aCBFs as an extension of Definitions 4 and 8.

Definition 10 (Adaptive Control Barrier Function (aCBF)). Let Sθ ⊂ X be a family of 0-superlevel sets of a

contin-uously differentiable function ha : X × Θ → R, with ∂h_∂xa

Lipchitz continuous. Then ha is an adaptive control barrier

function(aCBF) on the family of sets Sθover adaptive gains

G for (4) if for any θ ∈ Θ and Γ ∈ G: sup u∈U  ∂ha ∂x(x, θ) (f (x) + F(x)λcbf(x, θ) + g(x)u)  ≥ 0. (29) with λcbf(x, θ) , θ − Γ  ∂ha ∂θ (x, θ) T . (30)

Let us make a few observations of this definition: Remark 2. As will be seen in the proof that an aCBF can ensure a system is adaptively safe, there is a requirement on the smallest eigenvalue of Γ. As not every value of Γ satisfying A(3) will satisfy this requirement, we must consider a restricted set of values for Γ, given by G. This leads to the incorporation of the set G in the definition of an aCBF. If the family of sets Sθ does not depend on θ, such

that:

∂ha

∂θ (x, θ) ≡ 0, (31)

then Γ will not appear in (29). This implies ha being an

aCBF for (4) will not depend on G.

Remark 3. The constraint in (29) differs from (23) in that the term α(ha(x, θ)) does not appear. Rather, this closely

resembles early definitions of barrier certificates and Lya-punov barrier functions[21], [27], [24], which did not allow the state to approach the boundary of the safe sets, enforcing forward invariance of level sets of ha. As will be shown in

Section V, using the constraint from (23) doesn’t lead to the state safe set remaining forward invariant.

We note that a QP-based Lipschitz continuous con-troller attaining safety can be constructed similarly to the (aCLF-QP) given an aCBF. We now have the necessary framework in which to present the main result of this paper— that the existence of an aCBF implies safety of the family of sets S

b

θ even under parameter uncertainty.

Theorem 3. Let ha : X → R be an adaptive control barrier

function on the family of setsS

b

e

θ(0) with keθ0k2≤ c for c > 0 and x0 = x(0) ∈ int(S_θb0)

If there exists a positive definite gain matrix, Γ ∈ G, such that:

λmin(Γ) ≥

c2 2ha(x0, bθ0)

, (32)

then there exists a Lipschitz continuous functionτ (x, bθ) such that for the update law:

˙ b

θ = Γτ (x, bθ), (33)

the family of sets S

b

θ is forward invariant.

The main idea is to approach the proof much in the same way as the proof of Theorem 1. Yet the construction of a composite CBF as was done in (15) in the case of aCLFs requires more care. Adding the parameter error term would result in the composite safety function 0-superlevel set properly containing the 0-superlevel set of the aCBF, adding additional states to the set that can be rendered safe. This extension of the safe set can be quantified if the parameter estimates (and thus the parameter error) remains bounded, as in the case of aCLFs, but this is not guaranteed given the necessary form of τ .

Proof. Define the following composite candidate CBF for the extended system dynamics (7):

h(x, bθ) = ha(x, bθ) −

1 2eθ

T

Γ−1eθ (34)

By assumption, x0∈ int(S_bθ0), implying that ha(x0, bθ0) >

0. Further, our assumption that keθ0k2≤ c implies that:

1 2 ˜ θ>₀Γ−1θ˜0≤ 1 2λmin(Γ) k˜θ0k22≤ c2 2λmin(Γ) (35) Therefore, choosing Γ such that

λmin(Γ) ≥ c2 2ha(x0, bθ0) (36) leads to: h(x0, bθ0) ≥ 0 (37)

Now consider the time derivative of h as given in Table I. The second equality follows the addition and subtraction of the term: ∂ha ∂x(x, bθ)F(x) bθ − Γ  ∂ha ∂θ (x, bθ) >! (38) The third equality is a rearrangement revealing the form of the aCBF time derivative as given in (29)-(30). In particular, condition (29) permits the choice of an input u such that the first inequality is satisfied. Choosing the update law τ as:

τ (x, bθ) = − ∂ha

∂x(x, bθ)F(x) >

(39) results in the last inequality. This inequality, in conjunction with (37) and the comparison lemma in [8] imply that

h(x(t), bθ(t)) ≥ 0 (40)

for all t ≥ 0. Given the construction of h in (34), it follows that: ha(x(t), bθ(t)) ≥ 1 2eθ(t) >_Γ−1 e θ(t) ≥ 0. (41) Lastly, we conclude that x(t) ∈ S

b

θ(t) for t ≥ 0.

The proof reveals that superlevel sets of h are forward invariant. As h can not be computed without knowing the true parameters θ?, it is not possible to set ˙h ≥ −α(h) as is typical with CBFs. Furthermore, we have that ha ≥ h,

implying that −α(ha) ≤ −α(h). Thus setting ˙h ≥ −α(ha)

does not yield the desired lower bound on ˙h. One may note that setting ˙h ≥ −α(ha) leads to ˙h ≥ 0 when ha = 0,

or when the state is on the boundary of the safe set. This fact is concurrent with the common forward invariance proof technique utilizing Nagumo’s theorem [17]. Despite this, it is in fact possible to construct simple examples (in R2_{) such}

that the state must leave the safe set defined by ha for any

choice of differentiable α and Γ as shown in Section V. Remark 4. The assumption on eθ implies that the initial pa-rameter error must be bounded, unlike the aCLF formulation. This is due to the fact that we seek to keep a particular set forward invariant. In contrast, the only set kept provably forward invariant in the aCLF formulation is the sublevel set of the composite Lyapunov function V corresponding to the initial conditions (x(0), bθ(0)). Evaluating that set would too require assumptions on the boundedness of eθ(0). Additionally, while this may seem restrictive, we note that the input for the system will not be chosen to be robust to all uncertainties in this initial uncertainty set. Rather, the uncertainty will be handled by adapting parameter estimates. Remark 5. The lower bound on the adaptive gain allows us to ensure that the system can adapt quickly enough to ensure safety from the given initial condition. Initial distance from the safety set boundary and smaller possible initial parameter error allow the adaptive gain to be made smaller.

A quadratic program based controller similar to (aCLF-QP) can be constructed using an aCBF. To this end, we adopt the safety-critical control formulation in [25], [7] that filters a desired but potentially unsafe controller kd: X × Θ → U to find the nearest safe control action:

k(x, bθ) = argmin u∈U 1 2ku − kd(x, bθ)k 2 _(aCBF-QP) s.t. ∂ha ∂x(x, bθ)(˜fcbf(x, bθ) + g(x)u) ≥ 0 where efcbf is defined like efclf in (13). As with (aCLF-QP),

this quadratic program has a closed form solution. V. ANALYSIS OF ACBF FORMULATION

In this section we analyze the aCBF conditions to verify that, in fact, they do not appear overly conservative. In partic-ular, changing the aCBF condition ˙ha ≥ 0 to ˙ha≥ −α(ha)

does not necessarily lead to adaptive safety. Consider the simple dynamic system given by:

˙

˙h(x,bθ, u) = ∂ha ∂x (x, bθ) (f (x) + F(x)θ ? + g(x)u) +∂ha ∂θ(x, bθ) ˙ b θ + eθ>Γ−1bθ˙ = ∂ha ∂x (x, bθ) (f (x) + F(x)θ ? + g(x)u) +∂ha ∂θ(x, bθ)Γτ (x, bθ) + ∂ha ∂x(x, bθ)F(x) bθ − Γ  ∂ha ∂θ(x, bθ) >! −∂ha ∂x (x, bθ)F(x) θ − Γb  ∂ha ∂θ(x, bθ) >! + eθTτ (x, bθ) = ∂ha ∂x (x, bθ) f (x) + F(x) θ − Γb  ∂ha ∂θ(x, bθ) >! + g(x)u ! +∂ha ∂x (x, bθ)F(x) θ + Γe  ∂ha ∂θ(x, bθ) >! +∂ha ∂θ(x, bθ)Γτ (x, bθ) + eθ > τ (x, bθ) ≥  ∂ha ∂θ(x, bθ)Γ + eθ >  ∂h_a ∂x (x, bθ)F(x) > + τ (x, bθ) ! ≥ 0

TABLE I. Calculation of ˙h as used in the proof of the main result.

with θ unknown and the safety function ha(x) = 1 − x2

defining the state safe set S = {x ∈ R | x2 ≤ 1}. Assume that x0∈ int(S) and ˜θ02≤ c2. The resulting composite safety

function is given by:

h(x, ˆθ) = ha(x) −

1 2γ

−1_θ˜2

(43) with any γ satisfying:

γ ≥ c

2

2ha(x0)

. (44)

We additionally define the following sets:

U = {(x, ˜_{θ) ∈ R}2 | x ∈ S} (45) H0= {(x, ˜θ) ∈ R2 | h(x, ˆθ) ≥ 0} (46)

We note that the set U extends infinitely along the ˜θ-axis, and completely contains H0. Furthermore, H0 ∩ ∂U =

{(−1, 0), (1, 0)}. The time derivative of the composite safety function is given by:

˙h(x, ˆθ, u) = −2x(ˆθ + u) + ˜θ(−2x + τ (x)) (47) for θ = γτ (x). Choosing the update law τ (x) = 2x˙ˆ and controller u = −ˆθ + 1₂xα(ha(x)), with extended K∞

function α, we have:

˙h(x, ˆθ) = −x2α(ha(x)) ≥ −α(ha(x)). (48)

as when α(ha(x)) ≥ 0, x2 ≤ 1, and when α(ha(x)) ≤

0, x2 _{≥ 1. Noting the construction of U , we have the}

implication that (x, ˜θ) ∈ U =⇒ ˙h(x, ˆθ) ≤ 0. The closed-loop state and parameter error dynamics are given by:

" ˙ x ˙˜ θ # = _˜ θ + 1₂xα(ha(x)) −2γx  = _˜ θ − F (x) −g(x)  , (49) which has an unstable equilibrium point at the origin. This system is an example of a Li´enard system (like the Van der Pol oscillator) as in [20], with F (x) = −1₂xα(ha(x)) and

g(x) = 2γx. For systems of the this form, the following theorem, attributed to Li´enard, provides the existence of a unique, stable limit cycle:

Theorem 4 (Li´enard’s Theorem, [20]). Under the assump-tion that F, g ∈ C1

(R), F and g are odd functions of x, xg(x) > 0 for x 6= 0, F (0) = 0, F0(0) < 0, F has single positive zero at x = a, and F increases monotonically to infinity for x ≥ a as x → ∞, it follows that the Li´enard system(49) has exactly one limit cycle and it is stable.

If α is continuously differentiable in addition to an ex-tended K∞function, the assumptions of this theorem are met

by the functions given in (49). We note that a = 1 in this given example. Thus we can conclude that the system (49) has a stable periodic orbit, which we denote Φ. We denote the open set in R2 _{enclosed by the limit cycle as int(Φ).}

Additionally, the proof of this theorem as in [20] implies the following corollary regarding the stable limit cycle: Corollary 1. The stable limit cycle Φ is symmetric about the origin and passes through a point, denoted asP2= (x2, ˜θ2),

such thatx2> a.

Given that a = 1, this corollary reveals that the stable limit cycle leaves the set U , for which the state is considered safe. Additionally, as the limit cycle is symmetric about the origin, and the origin is an unstable equilibrium, the origin is contained in int(Φ).

This corollary also implies that H0⊂ (Φ∪int(Φ)). To see

this, note that as the limit cycle encircles the origin, it must reenter the set U after leaving the point P2. At any point

v = (v1, v2) ∈ U that the limit cycle enters, we must have

h(v) ≤ 0, given the two points in H0∩ ∂U . Once the limit

cycle enters U , we have ˙h ≤ 0 until the limit cycle leaves U as previously noted. Thus, h ≤ 0 along the portion of the limit cycle contained in U , implying H0⊂ (Φ ∪ int(Φ)). To

complete the proof, we will employ the following definition and lemma from [8]:

Definition 11 (Positive Limit Set). The positive limit set L+ is defined as all points p ∈ R2 such that there is a sequence {tn} with tn → ∞ as n → ∞, and (x(tn), ˜θ(tn)) → p as

n → ∞.

Lemma 1. If a solution (x(t), ˜θ(t)) of (49) is bounded for t ≥ 0, then its positive limit set L+ _{is a nonempty, compact,}

invariant set, and (x(t), ˜θ(t)) approaches L+ _{ast → ∞.}

We note that the unstable equilibrium point is not con-tained within the positive limit set L+. As the 0-superlevel set of h, and thus all possible initial conditions given our bound on ˜θ0, are contained inside the limit cycle, all solutions

to (49) are bounded (by the limit cycle). Furthermore, L+₌

Φ, and thus all solutions starting in the 0-superlevel approach set approach Φ. As the point P2∈ Φ, and P2∈ U , we see/

that any solution starting in the 0-superlevel set of h leaves the desired state safe set S. Hence, the relaxation does not achieve safety of the state as desired, as seen in Figure 1.

-1.5 -1 -0.5 0 0.5 1 1.5 -8 -6 -4 -2 0 2 4 6 8

Fig. 1. Evolution of the system governed by (49) with α(r) = kr, k = 10, (x0, ˜θ0) = (0.2, 1), c = 5, and γ = 26 achieving the lower bound.

VI. ADAPTIVECRUISECONTROL

To demonstrate how an aCBF can be used to render a system adaptively safe, we consider the problem of adaptive cruise control (ACC) as posed in [1]. The dynamics of the system are given by:

d dt  v D  =  0 v0− v  − 1 m 1 v v2 0 0 0    f0 f1 f2  + 1 m 0  u (50) with v the velocity of the vehicle, D the distance between the vehicle and a leading vehicle traveling at a fixed velocity v0,

m the vehicle’s mass, and f0, f1, and f2unknown parameters

associated with rolling frictional force. In this problem, we seek to drive the velocity to a desired velocity, vd, while

simultaneously ensuring the distance between the vehicles satisfies a safety constraint given by:

D ≥ 1.8v. (51)

The parameters f0, f1, and f2 are often determined

empiri-cally, and if they are not accurate, the desired velocity may not be accurately tracked. Furthermore, if the parameters do

not exactly match the true parameters, it may not be possible to certify that the system will satisfy the safety constraint.

The control objective of tracking a desired velocity can be achieved with a hand-designed controller kd or encoded

using a CLF, and the safety constraint can be encoded using a CBF. Additional constraints on the maximum acceleration and deceleration can be enforced to maintain passenger comfort. To handle uncertainty in the parameters, we utilize the tool of aCBFs to maintain and update estimates of these parameters. An aCBF that yields desirable results is defined as the following continuously differentiable function:

ha(v, D) =

(

α2 if D − 1.8v ≥ α

α2_{− (D − 1.8v − α)}2 _{if D − 1.8v < α}

for α > 0. This particular construction of hais constant away

from the safety boundary and diminishes to 0 (quadratically to preserve differentiability) as the boundary is approached. In practice, this is to handle the fact that superlevel sets of the composite safety function h are forward invariant. In regions where ha is constant, ∂h_∂xa, and thus the update law in (39),

is 0, thus making ˙h = 0 as in the first equality in Table I. aCBF-QP Controller: A simple proportional controller on tracking error v − vd can be implemented and achieve good

tracking performance, but is not necessarily safe. A CBF alone would not ensure the safety of this controller with model uncertainty, but treating the proportional controller as kd in aCBF-QP with an aCBF, safety can be achieved.

aCLF-aCBF-QP Controller: Additionally, we can unify aCLF and aCBFs in a quadratic program based controller to receive the benefits of optimal and adaptive tracking while remaining safe. Separate estimates of the parameters are mainted for the aCLF and the aCBF, as the form of the update laws in (17) and (39) may not be simultaneously satisfiable for only one estimate of the parameters. The CLF in [1] on the velocity tracking error v − vd, given by Va = (v − vd)2,

also satisfies the aCLF condition (11). Letting x = (v, z) and b

θ and bψ be parameter estimates associated with the aCLF and aCBF, respectively, we formulate a QP-based controller: k(x, bθ, bψ) = argmin u∈U J (u) + cV(x)δV + cp(x)δp s.t. L˜fclfVa(x, bθ) + LgVa(x, bθ)u ≤ −α3(kxk, bθ) + δV L˜fcbfha(x, bψ) + Lgha(x, bψ)u ≥ 0 u ≤ umax+ δp u ≥ −umax− δp δV, δp≥ 0

with parameter updates for bθ and bψ as in (17) and (39), respectively. δV and δp are relaxations to the optimization

problem to ensure its feasibility, while safety is ensured. The functions cV and cp are Lipschitz continuous and are

used to achieve smoothness. With initial parameter estimates _ˆ

f0 fˆ1 fˆ2 = 10 f0? f1? f2? (less friction than

0 5 10 15 20 -150 -100 -50 0 50 100 0 5 10 15 20 12 14 16 18 20 22 24 26 0 5 10 15 20 -20 0 20 40 60

Fig. 2. Comparison of different adaptive and non-adaptive control methodologies. The aCBF-QP is able to enforce safety of the proportional controller (left). An aCLF controller is able to track the desired velocity with zero steady state error (center). Both aCBF controllers are able to keep the vehicle within the safe region for all time (right)

We see that the proportional controller fails to keep the vehicle safe, but filtering it with the aCBF-QP keeps it safe (with D ≥ 1.8v for all time) even with model uncertainty. A CLF-CBF controller with no adaptive elements fails to either track the desired velocity (with steady state error) or keep the vehicle safe. The CLF-aCBF controller keeps the vehicle safe but has steady state tracking error, while an aCLF-aCBF controller accurately tracks the desired velocity with no steady state error, and keeps the vehicle safe.

VII. CONCLUSION

We presented a novel approach for ensuring the safety of a system under a form of parametric uncertainty. This approach builds off the structure established with adaptive Control Lyapunov Functions, and highlights the differences that must be considered when ensuring the forward invariance of a specific set. Future work includes considering this framework within a batched-data framework, in which initial parametric uncertainty can be iteratively and episodically reduced to permit less conservative safe sets.

REFERENCES

[1] A. Ames, J. Grizzle, and P. Tabuada. Control barrier function based quadratic programs with application to adaptive cruise control. In 53rd IEEE Conference on Decision and Control, pages 6271–6278. IEEE, 2014.

[2] A. D. Ames, X. Xu, J. W. Grizzle, and P. Tabuada. Control barrier function based quadratic programs for safety critical systems. IEEE Transactions on Automatic Control, 62(8):3861–3876, 2017. [3] Z. Artstein. Stabilization with relaxed controls. Nonlinear Analysis:

Theory, Methods & Applications, 7(11):1163–1173, 1983.

[4] S. Boyd and L. Vandenberghe. Convex optimization. Cambridge university press, 2004.

[5] R. Cheng, G. Orosz, R. M. Murray, and J. W. Burdick. End-to-end safe reinforcement learning through barrier functions for safety-critical continuous control tasks. arXiv preprint arXiv:1903.08792, 2019. [6] J. F. Fisac, A. K. Akametalu, M. N. Zeilinger, S. Kaynama, J. Gillula,

and C. J. Tomlin. A general safety framework for learning-based control in uncertain robotic systems. IEEE Transactions on Automatic Control, 2018.

[7] T. Gurriet, A. Singletary, J. Reher, L. Ciarletta, E. Feron, and A. Ames. Towards a framework for realizable safety critical control through active set invariance. In Proc. of the 9th ACM/IEEE International Conf. on Cyber-Physical Systems, pages 98–106. IEEE Press, 2018. [8] H.K. Khalil. Nonlinear Systems - 3rd Edition. PH, Upper Saddle

River, NJ, 2002.

[9] S. Kolathaya and A. D. Ames. Input-to-state safety with control barrier functions. IEEE control systems letters, 3(1):108–113, 2018. [10] M. Krsti´c, I. Kanellakopoulos, and P. V. Kokotovi´c. Nonlinear and

adaptive control design. Wiley New York, 1995.

[11] M. Krsti´c and P. V. Kokotovi´c. Control lyapunov functions for adaptive nonlinear stabilization. Systems & Control Letters, 26(1):17–23, 1995. [12] M. Krsti´c and P. V. Kokotovi´c. Modular approach to adaptive nonlinear

stabilization. Automatica, 32(4):625–629, 1996.

[13] Z. Li and M. Krsti´c. Optimal design of adaptive tracking controllers for non-linear systems. Automatica, 33(8):1459–1473, 1997. [14] Y. Lin and E. D. Sontag. A universal formula for stabilization with

bounded controls. Sys. & Control Letters, 16(6):393–397, 1991. [15] J. Moore and R. Tedrake. Adaptive control design for underactuated

systems using sums-of-squares optimization. In 2014 American Control Conference, pages 721–728. IEEE, 2014.

[16] B. Morris, M. J. Powell, and A. D. Ames. Sufficient conditions for the lipschitz continuity of qp-based multi-objective control of humanoid robots. In 52nd IEEE Conference on Decision and Control, pages 2920–2926. IEEE, 2013.

[17] M. Nagumo. ¨Uber die lage der integralkurven gew¨ohnlicher differen-tialgleichungen. Proceedings of the Physico-Mathematical Society of Japan. 3rd Series, 24:551–559, 1942.

[18] Q. Nguyen and K. Sreenath. Exponential control barrier functions for enforcing high relative-degree safety-critical constraints. In 2016 American Control Conference (ACC), pages 322–328. IEEE, 2016. [19] M. Ohnishi, L. Wang, G. Notomista, and M. Egerstedt.

Barrier-certified adaptive reinforcement learning with applications to brushbot navigation. IEEE Transactions on Robotics, 2019.

[20] L. Perko. Differential equations and dynamical systems, volume 7. Springer Science & Business Media, 2013.

[21] S. Prajna. Optimization-based methods for nonlinear and hybrid systems verification. PhD thesis, Caltech, 2005.

[22] E. D. Sontag. Smooth stabilization implies coprime factorization. IEEE transactions on automatic control, 34(4):435–443, 1989. [23] E. D. Sontag. A universal construction of artstein’s theorem on

nonlinear stabilization. Systems & control letters, 13(2):117–123, 1989.

[24] K. P. Tee, S. S. Ge, and E. H. Tay. Barrier lyapunov functions for the control of output-constrained nonlinear systems. Automatica, 45(4):918–927, 2009.

[25] L. Wang, A. D. Ames, and M. Egerstedt. Safe certificate-based maneuvers for teams of quadrotors using differential flatness. In 2017 IEEE International Conference on Robotics and Automation (ICRA), pages 3293–3298. IEEE, 2017.

[26] L. Wang, E. A. Theodorou, and M. Egerstedt. Safe learning of quadro-tor dynamics using barrier certificates. In 2018 IEEE International Conference on Robotics and Automation (ICRA), pages 2460–2465. IEEE, 2018.

[27] P. Wieland and F. Allg¨ower. Constructive safety using control barrier functions. IFAC Proceedings Volumes, 40(12):462–467, 2007. [28] X. Xu, P. Tabuada, J. W. Grizzle, and A. D. Ames. Robustness of

con-trol barrier functions for safety critical concon-trol. IFAC-PapersOnLine, 48(27):54–61, 2015.